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1 This action is in response to the communication filed on 12/05/2005. 

2 Continued Examination Under 3 7 CFR LI 14 

3 A request for continued examination under 37 CFR 1.114, including the fee set forth in 

4 37 CFR 1 . 1 7(e), was filed in this application after final rejection. Since this application is 

5 eligible for continued examination under 37 CFR 1 .1 14, and the fee set forth in 37 CFR 1 .17(e) 

6 has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 

7 37 CFR 1.1 14. Applicant's submission filed on 12/05/2005 has been entered. 



8 Response to Arguments 

9 Applicant's arguments with respect to claims 1-32 have been considered but are moot in 

10 view of the new ground(s) of rejection. 

1 1 The new ground(s) of rejection are based on different portions of the previously cited art 

12 (i.e. PAC). 

13 DETAILED ACTION 

14 All objections and rejections not set forth below have been withdrawn. 

15 Claims 1-32 have been examined. 

1 6 Claim Rejections - 35 USC § 1 03 

17 The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

18 obviousness rejections set forth in this Office action: 

1 9 A patent may not be obtained though the invention is not identically disclosed or 

20 described as set forth in section 102 of this title, if the differences between the subject matter 

2 1 sought to be patented and the prior art are such that the subject matter as a whole would have 

22 been obvious at the time the invention was made to a person having ordinary skill in the art to 

23 which said subject matter pertains. Patentability shall not be negatived by the manner in which 

24 the invention was made. 
25 



Application/Control Number: 09/921,536 Page 3 



Art Unit: 2131 

1 Claims 1-2, 23-25, and 26-32 are rejected under 35 U.S.C. 103(a) as being unpatentable 

2 over Brezak et al. (US Patent Application Publication 2003/0018913) hereinafter referred to as 

3 Brezak, and further in view of Ganesan (US Patent Number 5,535,276). 

4 Regarding claim 1, Brezak disclosed a method for a middle tier server to impersonate a 

5 client to a plurality of servers, the method comprising: obtaining a common nonce associated 



6 with each of the plurality of servers from an entity other than the client or the plurality of servers 

7 (See Brezak Fig. 2 and Paragraph 0043 and Paragraph 0049 "PAC"); providing the common 

8 nonce to the client (See Brezak Fig. 2 Paragraph 0043 Lines 3-6); receiving the common nonce 

9 at the middle tier server (See Brezak Paragraph 0043 Lines 6-9), and providing the common 



10 nonce to the plurality of servers as a signature for transactions so as to authenticate the client to 

1 1 the plurality of servers (See Brezak Paragraph 0044, Paragraph 0055 Lines 12-14, and Paragraph 

12 0057 Lines 3-7). 

13 However, Brezak failed to disclose the client signing the common nonce (PAC). 

14 Ganesan teaches that in a ticketing system, in order to protect against dictionary attacks, 



1 5 the ticket should be encrypted by the ticket granting system with the key shared between the 

16 server to be accessed and the ticket granting server (See Ganesan Col. 5 Lines 34-56), and the 

17 user should sign the ticket (TEMP-CERT) (See Ganesan Col. 15 Lines 45-60). 



18 It would have been obvious to the ordinary person skilled in the art at the time of 

19 invention to employ the teachings of Ganesan in the ticketing system of Brezak by having the 

20 ticket encrypted with server/ticket granting system keys, and having the client sign the service 

21 ticket before sending the ticket to the Server A. This would have been obvious because the 
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1 ordinary person skilled in the art would have been motivated to provide protection against 

2 dictionary attacks against the ticket. 

3 Regarding claim 26, the combination of Brezak and Ganesan disclosed a system for a 

4 middle tier server to impersonate a client to a plurality of servers, the system comprising: means 

5 for obtaining a common nonce associated with each of the plurality of servers from an entity 

6 other than the client or the plurality of servers (See Brezak Fig. 2 and Paragraph 0043 and 

7 Paragraph 0049 "PAC"); means for providing the common nonce to the client (See Brezak Fig. 2 

8 Paragraph 0043 Lines 3-6)); means for receiving the common nonce singed by the client at the 

9 middle tier server (See Brezak Paragraph 0043 Lines 6-9 and Ganesan Col. 15 Lines 45-60), and 

10 means for providing the common nonce to the plurality of servers as a signature for transactions 

11 so as to authenticate the client to the plurality of servers (See Brezak Paragraph 0044 and 

12 Paragraph 0055 Lines 12-14 and Paragraph 0057 Lines 3-7). 

13 Regarding claim 27, the combination of Brezak and Ganesan disclosed a computer 

14 program product (See Brezak Paragraph 001 5) for a middle tier server to impersonate a client to 

15 a plurality of servers, comprising: a computer readable media having computer readable program 

16 code embodied therein, the computer readable program code comprising: computer readable 

17 program code that obtains a common nonce associated with each of the plurality of servers from 

1 8 an entity other than the client or the plurality of servers (See Brezak Fig. 2 and Paragraph 0043 

19 and Paragraph 49 "PAC"); computer readable program code that provides the common nonce to 

20 the client (See Brezak Fig. 2 Paragraph 0043 Lines 3-6)); computer readable program code that 

21 receives the common nonce singed by the client at the middle tier server (See Brezak Paragraph 

22 0043 Lines 6-9 and Ganesan Col. 15 Lines 45-60), and computer readable program code that 
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1 provides the common nonce to the plurality of servers as a signature for transactions so as to 

2 authenticate the client to the plurality of servers (See Brezak Paragraph 0044 and Paragraph 0055 

3 Lines 12-14 and Paragraph 0057 Lines 3-7). 

4 Regarding claim 28, the combination of Brezak and Ganesan disclosed a method of 

5 authenticating a client, comprising: receiving at a server of a plurality of servers, a common 

6 nonce that is provided to each of the plurality of servers from an entity other than the client of 

7 the plurality of servers (See Brezak Paragraphs 0048-0049 and 0057), the common nonce being 

8 signed by the client (See Ganesan Col. 15 Lines 45-60), and authenticating the client based on 

9 the received signed common nonce (See Brezak Paragraphs 0048-0049 and 0057). 

10 Regarding claim 3 1, the combination of Brezak and Ganesan disclosed a system for 

1 1 authenticating a client, comprising: means for receiving at a server of a plurality of servers, a 

12 common nonce that is provided to each of the plurality of servers from an entity other than the 

13 client of the plurality of servers (See Brezak Paragraphs 0048-0049 and 0057), the common 

14 nonce being signed by the client (See Ganesan Col. 15 Lines 45-60), and means for 

1 5 authenticating the client based on the received signed common nonce (See Brezak Paragraphs 

16 0048-0049 and 0057). 

17 Regarding claim 32, the combination of Brezak and Ganesan disclosed a computer 

18 program product for authenticating a client, comprising: a computer readable media having 

19 computer readable program code embodied therein (See Brezak Paragraph 001 5), the computer 

20 readable program code comprising: computer readable program code which receiving at a server 

21 of a plurality of servers, a common nonce that is provided to each of the plurality of servers from 

22 an entity other than the client of the plurality of servers (See Brezak Paragraphs 0048-0049 and 
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1 0057), the common nonce being signed by the client (See Ganesan Col. 15 Lines 45-60), and 

2 computer readable program code which authenticates the client based on the received signed 

3 common nonce (See Brezak Paragraphs 0048-0049 and 0057). 
4 

5 Regarding claims 2 and 30, the combination of Brezak and Ganesan disclosed that the 

6 common nonce is generated based on information provided by each of the plurality of servers 

7 (See Ganesan Col. 5 Lines 34-56). 

8 Regarding claim 23, the combination of Brezak and Ganesan disclosed that the step of 

9 obtaining a common nonce comprises the steps of: obtaining the common nonce from a party 

10 trusted by the middle-tier server and the plurality of servers, the common nonce being signed by 

1 1 the trusted party; and verifying the signature of the common nonce is the signature of the trusted 

12 party (See the rejection of claim 1 above, especially Ganesan Col. 5 Lines 34-56). 

13 Regarding claim 24, the combination of Brezak and Ganesan disclosed that at least one of 

14 the plurality of servers carries out the steps of: receiving a client certificate, determining if the 

1 5 client certificate is trusted; and indicating that the client is not authenticated if the client 

16 certificate is not trusted (See Brezak Paragraph 0055). 

17 Regarding claim 25, the combination of Brezak and Ganesan disclosed that at least one of 

18 the plurality of servers carries out the steps of: receiving the signed common nonce and a client 

19 certificate; determining if the signature of the signed common nonce corresponds to a signature 

20 of the client certificate; and indicating that the client is not authenticated if the signature of the 

21 signed common nonce does not correspond to the signature of the client certificate (See Ganesan 

22 Col. 16 Line 64 - Col. 17 Line 5 and Col. 17 Lines 56-61). 



Application/Control Number: 09/921,536 Page 7 

Art Unit: 2131 



1 Regarding claim 29, the combination of Brezak and Ganesan disclosed that the common 

2 nonce is provided by a trusted third party (See Brezak Paragraph 43). 
3 

4 Claims 3, 5, 7-11, and 14-15 are rejected under 35 U.S.C. 103(a) as being unpatentable 

5 over the combination of Brezak and Ganesan as applied to claim 2 above, and further in view of 

6 Ford (US Patent Number 6,829,356). 

7 Regarding claim 3, Brezak and Ganesan disclosed generating the common nonce based 

8 on information obtained from each of the plurality of servers (See the rejection of claim 2 

9 above), but failed to disclose obtaining pre-nonce contributions from the plurality of servers; 

10 combining the pre-nonce contributions to provide a single pre-nonce token; and providing the 

1 1 common nonce based on the pre-nonce token. 

12 Ford teaches a system in which a client can authenticate to a plurality of servers by 

13 signing proof data generated from a plurality of nonces associated with a plurality of servers (See 

14 Ford Col. 15 Line 9 - Col. 16 Line 14) involving obtaining pre-nonce contributions from the 

15 plurality of servers (See Ford Col. 15 Lines 24-31); combining the pre-nonce contributions to 

16 provide a single pre-nonce token; and providing the common nonce based on the pre-nonce 

17 token (See Ford Col. 15 Lines 56-61). 

18 It would have been obvious to the ordinary person skilled in the art at the time of 

19 invention to employ the teachings of Ford in the ticketing and authentication system of Brezak 

20 and Ganesan by providing the ticket granter with server nonces, combining the nonces, and 

21 placing the nonces in the ticket to be signed. This would have been obvious because the ordinary 
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1 person skilled in the art would have been motivated to provide strong secret data which could be 

2 verified in the ticket. 

3 Regarding claim 5, the combination of Brezak, Ganesan, and Ford disclosed that the step 

4 of combining the pre- nonce contributions to provide a single pre-nonce token comprises 

5 concatenating the pre-nonce contributions (See Ford Col. 15 Lines 56-61). 

6 Regarding claim 7, the combination of Brezak, Ganesan, and Ford disclosed that the step 

7 of obtaining pre-nonce contributions comprises the steps of: requesting a pre-nonce contribution 

8 from each of the plurality of servers (See Ford Col. 15 Paragraph 2); and receiving the pre-nonce 

9 contributions from the plurality of servers (See Ford Col. 15 Paragraph 2). 

10 Regarding claim 8, the combination of Brezak, Ganesan, and Ford disclosed that 

1 1 requesting a pre-nonce contribution comprises sending authenticated requests to the plurality of 

12 servers (See Ford Col. 15 Lines 1-22). 

13 Regarding claim 9, the combination of Brezak, Ganesan, and Ford disclosed the step of 

14 encrypting the authenticated requests sent to the plurality of servers (See Ford Col. 15 Paragraph 

15 1). 

16 Regarding claim 10, the combination of Brezak, Ganesan, and Ford disclosed that the 

17 authenticated requests include at least one of an identification of a source of the request, a time 

1 8 stamp and a random number (See Brezak Paragraph 005 1 ). 

19 Regarding claim 1 1, the combination of Brezak, Ganesan, and Ford disclosed that the 

20 pre-nonce contributions include at least one of an identification of a server of the plurality of 

21 servers and a random number (See Ford Col. 15 Lines 24-38, and Line 56 Col. 16 Line 2). 
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1 Regarding claim 14, the combination of Brezak, Ganesan, and Ford disclosed the steps 

2 of: receiving a transaction identification from a trusted server of the plurality of servers; and 

3 associating the transaction identification with the common nonce (See Ford Col. 15 Lines 22- 

4 31). 

5 Regarding claim 15, the combination of Brezak, Ganesan, and Ford disclosed the step of 

6 tracking use of the common nonce based on the transaction identification (See Ford Col. 1 5 Line 

7 22 -Col. 16 Line 2). 

8 Claims 4, 6, 12-13 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 

9 the combination of Brezak, Ganesan, and Ford as applied to claim 3 above, and further in view 

1 0 of Schneier (Applied Cryptography). 

1 1 Regarding claim 4, the combination of Ford and Blakley disclosed providing a common 

12 nonce (See Ford Col. 15 Lines 56-61), but failed to disclose reducing the nonce challenges to 

13 provide the common nonce. However, Ford and Blakley did disclose digitally signing a message 

14 containing the nonce challenges (See Ford Col. 15 Lines 56-61). 

15 Schneier teaches that when digitally signing a message, it is practical to hash the message 

16 and encrypt the hash, with a private key, as the signature, rather than encrypting the whole 

17 message (See Schneier Page 38 Section Signing Documents with Public-Key Cryptography and 

18 One-Way Hash Functions). Schneier also teaches that in such a system, to verify the signature, 

19 the verifier hashes the message, decrypts the signed hash with the signers public key, and verifies 

20 that the two hashes are the same (See Schneier Page 38 Section Signing Documents with Public- 

21 Key Cryptography and One-Way Hash Functions). 
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1 It would have been obvious to the ordinary person skilled in the art at the time of 

2 invention to employ the teachings of Schneier in the digital signatures of Brezak, Ganesan, and 

3 Ford by signing and verifying the hash of the nonce message instead of the whole nonce 

4 message. This would have been obvious because the ordinary person skilled in the art would 

5 have been motivated to increase the speed of the signing method. 

6 Regarding claim 6, the combination of Brezak, Ganesan, Ford, and Schneier disclosed 

7 that the step of reducing the pre-nonce token to provide the common nonce comprises the step of 

8 hashing the pre-nonce token utilizing a one-way hash function so as to provide the common 

9 nonce (See the rejection of claim 4 above). 

10 Regarding claim 20, the combination of Brezak, Ganesan, Ford, and Schneier disclosed 

1 1 that at least one of the plurality of servers carries out the steps of: receiving the signed common 

12 nonce, the common nonce and the pre-nonce token; hashing the received pre-nonce token; 

13 comparing the hashed pre-nonce token to the common nonce; indicating that the client is not 

14 authenticated if the hashed pre-nonce token is different from the common nonce (See Ford Col. 

15 15 Lines 56-65 and Schneier Page 38 Section Signing Documents with Public-Key Cryptography 

16 and One-Way Hash Functions). 

17 Regarding claims 12-13, the combination of Brezak, Ganesan, and Ford disclosed the 

18 client checking the nonce challenge from the server for requisite strength, and aborting the 

19 authentication process if the nonce challenge did not meet the requisite strength (See Ford Col. 

20 15 Lines 39-41), but failed to disclose that this check included checking the signature of the 

21 nonce challenge to verify that it was signed by the server. 
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1 Schneier teaches that digital signatures provide a means for verifying the sender of a 

2 message (See Schneier Page 37 Signing Documents with Public Key Cryptography). 

3 It would have been obvious to the ordinary person skilled in the art at the time of invention to 

4 employ the teachings of Schneier in the nonce challenge system of Ford and Blakley by having 

5 the server sign the challenges and having the client verify the signature of the challenges before 

6 using the challenges. This would have been obvious because the ordinary person skilled in the 

7 art would have been motivated to protect against illicit alteration of the challenge nonce. 

8 Claims 16-19, and 21-22 are rejected under 35 U.S.C. 103(a) as being unpatentable over 

9 the combination of Brezak, Ganesan, and Ford as applied to claim 3 above, and further in view 

10 of Menezes et al. (Handbook of Applied Cryptography). 

1 1 The combination of Brezak, Ganesan, and Ford disclosed the server receiving the nonce 

12 challenges, and authenticating the client based on whether the nonce challenges included the 

13 nonce challenge of the server (See Ford Col, 1 5 Lines 56-65), but failed to disclose that the 

14 nonce challenges included random numbers. The combination further disclosed using a users 

15 public key to verify the signature of the nonce message by verifying that the signature 

16 corresponded to the signature of the clients private/public key pair (See Ford Col. 15 Lines 56- 

17 65), but failed to disclose that the verifying server got the public key from a public key certificate 

18 and also failed to disclose that the authentication would fail if the certificate was not trusted. 

19 Menezes teaches that nonce challenges can be random numbers (See Menezes Page 398). 

20 Menezes further teaches that when using nonce challenges the challenger should apply a timeout 

21 period to the nonce and not authenticate the client if the response is received after the timeout 

22 period has expired (See Menezes Page 398 Section (i)). Menezes teaches further still that public 
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1 key certificates are a means to store, distribute, and forward public keys without danger of 

2 undetectable manipulation. Menezes also teaches that when using a certificate for 

3 authentication, the certificate is received, the expiration date is checked, the certification 

4 authority validity is checked, the signature of the certificate is checked, and the certificate is 

5 checked to see if it has been revoked, and if these checks pass then the public key is valid (See 

6 Menezes Pages 559-560). 

7 It would have been obvious to the ordinary person skilled in the art at the time of 

8 invention to employ the teachings of Menezes in the nonce challenge system of Brezak, 

9 Ganesan, and Ford by having the nonce challenges be random numbers and by applying and 

10 checking a timeout period to the nonce when authenticating a client. This would have been 

1 1 obvious because the ordinary person skilled in the art would have been motivated to provide 

12 uniqueness and timeliness assurances in the system in order to avoid replay and interleaving 

13 attacks. It further would have been obvious to employ the teachings of Menezes in the 

14 authentication system of Brezak, Ganesan and Ford by obtaining the public key from a public 

15 key certificate and verifying that the certificate is valid in order to use the public key to 

16 authenticate the client. This would have been obvious because the ordinary person skilled in the 

17 art would have been motivated to protect against undetected manipulation of the public key. 

1 8 Conclusion 

19 Claims 1-32 have been rejected. 

20 Any inquiry concerning this communication or earlier communications from the 

21 examiner should be directed to Matthew T. Henning whose telephone number is (571) 272-3790. 

22 The examiner can normally be reached on M-F 8-4. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 




Matthew Henning 
Assistant Examiner 
Art Unit 2131 
2/21/2006 
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